CVS Pharmacy, Inc. must essentially admit that it contributed to the opioid epidemic by filling forged prescription painkillers during what some consider to be the height of the epidemic. CVS has agreed to pay $3.5 million to resolve allegations that 50 of its stores violated the Controlled Substances Act by filling forged prescriptions for prescription painkillers more than 500 times between 2011 and 2014, which is currently one of the largest settlements of its kind. The pharmacy has also entered into a three-year compliance agreement with the Drug Enforcement Administration (DEA) requiring it to maintain and enhance the programs it has developed in recent years for detecting and preventing diversion of controlled substances.

The allegations came after the federal government conducted two DEA investigations into CVS’ activities after receiving calls reporting forged oxycodone prescriptions. The first investigation involved CVS pharmacies throughout Massachusetts and New Hampshire and identified 403 instances at 40 CVS stores where forged prescriptions were filled. The second investigation, which focused solely on the Boston area, found over 120 filled forged prescriptions at 10 CVS locations. A handful of people were involved in nearly all of the forgeries involving an estimated street value of over $1 million.

Although the company had some protections in place, the government spent time looking into whether CVS pharmacists continually ignored red flags such as computer system band on individuals receiving addictive painkillers. “When pharmacies ignore red flags that a prescription is fraudulent, they miss a critical opportunity to prevent prescription drugs from entering the stream of illegal opiates on the black market…Although CVS is currently undertaking corrective steps to curb the tide of diversion, this settlement pushes CVS to go further and holds the company accountable for its past conduct,” said United States Attorney Carmen M. Ortiz commented on the settlement.

DEA regulations indicate that pharmacists have a responsibility to ensure that he or she is filling only valid prescriptions that were written for a legitimate medical purpose by a practitioner who is managing the care of that individual. The responsibility requires that pharmacists identify and resolve any red flags which may indicate that a prescription could be forged or is otherwise invalid.

“DEA registrants like CVS have a corresponding responsibility to dispense controlled substances in accordance with the Controlled Substance Act. When pharmacies fail to adhere to these responsibilities, it allows for the diversion of prescription pain medication, which contributes to the widespread abuse of opiates, is the gateway to heroin addiction, and is devastating our communities,” said DEA Special Agent in Charge Michael J. Ferguson.

What this investigation makes clear is that authorities aren’t just looking at the forgers themselves. Pharmacies will need to ensure that they are complying with the DEA regulations and that they are keeping a lookout for any red flags. As is the case with CVS, pharmacists who look the other way will be forced to face stiff penalties for their failures to keep their eyes open.

Beginning in 2017, states will have the ability to revisit the Patient Protection and Affordable Care Act’s (ACA’s) private insurance expansion via ACA innovation waivers, which is in addition to the ability to modify state Medicaid plans via a waiver of federal Medicaid law. A new analysis from researchers at the Guttmacher Institute argue that reproductive health advocates should monitor these waivers closely, because they could have significant implications for sexual and reproductive health and rights.

Medicaid waivers

Waivers under Section 1115 under the Social Security Act have been available for use since 1965. Most states are operating under at least one of these waivers. After the Supreme Court’s 2012 decision in National Federation of Independent Business v. Sebelius, states gained considerable leverage to alter state Medicaid plans in their negotiations with CMS to adjust to the new requirements of the ACA. According to the Guttmacher study, “In the field of sexual and reproductive health, Medicaid waivers are perhaps best known as the original means by which states have expanded eligibility for family planning coverage to women and men ineligible for broader Medicaid.” Currently, there are six states which took advantage of this and expanded Medicaid via an experimental waiver of federal requirements.

Medicaid innovation waivers

In 2017, states will also have the ability to use ACA innovation waivers, which are authorized under section 1332 of the ACA. These waivers offer states the ability to modify major pieces of the ACA, such as the individual mandate and the employer mandate. They can also change all of the major aspects of the ACA’s private insurance marketplaces. State changes under innovation waivers, however, may not result in less comprehensive coverage, less affordable coverage or provide fewer residents with coverage. The waivers must also be budget neutral for the federal government.

Should they decide to use an innovation waiver, states will be required to gain approval from the federal government (from HHS and the Department of the Treasury), obtain public input and analyze the governmental impact. Legislation would have to be passed for changes to be made, and states will need to renew the waivers approximately every five years.

In December, 2015, the government provided significant guidance on what can and cannot be modified under these innovation waivers. This guidance explained four so-called “guardrails” to determine what states can and cannot do. According to the guidance, the federal government will look not only at the overall population, but also at the more vulnerable population groups to determine whether the state coverage is at least as comprehensive as it would be in the absence of the waiver. States will not be able to use projected savings from changes within Medicaid to help finance expanded private-sector coverage for higher-income groups via ACA innovation waivers. They will not receive help from the federal government to make changes to the marketplaces, and should states decide to change their marketplaces, they will have to do so on their own. Further, the Internal Revenue Service will not have the power to issue state-specific rules about affordability tax credits and states will have to handle this on their own as well.

Potential

While Medicaid waivers have been used to expand eligibility, there are many factors which could swing the availability of reproductive health benefits in the other direction under Medicaid innovation waivers. According to Guttmacher,”the next administration has the opportunity to weaken these protections in ways that might undermine access to sexual and reproductive health care and providers. Alternatively, the next administration could help states further advance access to comprehensive coverage and care, including sexual and reproductive health care.”

With the availability of the innovation waiver coming into play in 2017, states are beginning to eyeball just what changes they can make. They are also keeping close watch on the election season for fall 2016. Depending on the results of this election, the federal government could potentially change that guidance document. The Guttmacher analysis points out that, “advocates should be on the lookout for Medicaid and ACA innovation waivers that would restructure payment rules and network adequacy requirements in ways that could impact reproductive health providers.” The ACA’s preventive services guarantees, such as coverage protections for contraception, HIV and other sexually transmitted disease screening, and breastfeeding support is not something that can be changed under an ACA innovation waiver, but Guttmacher advises that “reproductive health advocates should keep an eye on state attempts to expand formularies and other utilization control tools available to plans, to ensure that they do not somehow conflict with the coverage protections for contraception and other preventive services.”

Over two-thirds of state benchmark health plans violate requirements to cover treatment for addiction disorders put into place by the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148). The National Center on Addiction and Substance Abuse (the Center) surveyed addiction treatment benefits offered among 2017 Essential Health Benefits (EHB) benchmark plans and found none offered what it considers to be “adequate” addiction treatment benefits. The main problem, the Center believes, is that although the ACA requires coverage of substance use disorder (SUD) services as an EHB and requires that the SUD benefits be provided at parity with comparable medical/surgical benefits, the ACA does not specifically define what those benefits should be. It leaves that up to the states, and that is where they fall short.

Analysis

The Center analyzed those benefits offered within each of the 50 states to determine the minimum level of benefits available to those covered in state exchange plans. Each state’s 2017 EHB-benchmark plan was then reviewed to determine whether it: (1) satisfies the ACA’s requirements regarding coverage of addiction benefits; (2) complies with parity requirements; (3) provides adequate care for addiction by covering the full range of critical benefits without imposing harmful treatment limitations; and (4) provides enough information to fully evaluate compliance and adequacy of benefits. Clouding the review, the Center noted, is the problem that plan documents for 88 percent of state plans lacked sufficient detail for it to fully evaluate parity, compliance, and the adequacy of addiction benefits.

Most commonly missing

Many plans either frequently exclude or do not explicitly cover benefits related to residential treatment and the use of methadone maintenance therapy. The Center found that 18 percent of the plans lacked compliance with parity requirements, while 31 percent of the plans contained possible parity violations. Over half of plans violate the EHB requirement for tobacco cessation coverage and nearly half violate the ACA’s requirement for coverage of prescription drugs to treat addiction. Although the ACA specifically prohibits the use of per-beneficiary annual or lifetime dollar limits for EHB, Texas and Michigan are in violation of this requirement. Further, Alaska’s plan does not even cover services and supplies relating to diagnosis and treatment of addiction.

“Addiction is a chronic disease that often goes untreated, and when patients can’t access addiction treatment it can lead to disability and premature death,” said the report. “In order to fulfill the ACA’s intent of dramatically expanding access to addiction treatment, states should revise their EHB benchmark plans to comply with the law … This will help to close the addiction treatment gap, improve the health of patients seeking addiction treatment, and decrease costs for the health plans in the long-term.”

Organizations experiencing data breaches are once again paying a higher price than the year before, according to a study by the Ponemon Institute and sponsored by IBM. According to the report, the average cost of a data breach is now $4 million, up from the $3.8 million in the same report for 2015.

Price tag

Prices for dealing with data breaches are consistently rising. In 2016, the average cost per lost or stolen record according to the report is $158, up from $154 in the 2015 report and $145 in the 2014 study. This increase represents a 29 percent increase since 2013.

The average cost of a stolen or lost record varies depending on the industry involved, with lost or stolen health care records worth $355, reaching a record high in 2016. It is also important to note that legal costs associated with breaches are rising as well. Forty-seven states in the United States have separate breach notification laws. Additionally, the average cost of a legal settlement after a breach in the U.S. now stands at $880,000.

Root cause

When analyzing the root causes of data breaches, the study found that 48 percent of data breaches were the result of malicious attacks to an organization. According to Larry Ponemon, Chairman and Founder of the Ponemon Institute, “these breaches also take the most time to detect and contain. As a result, they have the highest cost per record.” Much damage can be done before the breach is even identified. The report found that the average time to identify a breach now stands at 201 days.

What can be done?

The report recommended that organizations have a response team at the ready. Ponemon noted that “Investments in certain data loss prevention controls and activities such as encryption and endpoint security solutions are important for preventing data breaches.” According to the report, by putting some prevention plans in place, organizations can experience significant cost savings. The process can effectively be streamlined, saving time and money.